CN114338096A - Configuration method of process layer isolation device - Google Patents


Info

Publication number
CN114338096A
Authority
CN
China
Prior art keywords
goose
isolation device
steps
data stream
configuring
Prior art date
Legal status
Granted
Application number
CN202111506947.6A
Other languages
Chinese (zh)
Other versions
CN114338096B (en)
Inventor
曹翔
陈桂友
林青
汤震宇
缪海飞
陶耕宇
周岩
胡绍谦
Current Assignee
NR Electric Co Ltd
NR Engineering Co Ltd
Original Assignee
NR Electric Co Ltd
NR Engineering Co Ltd
Priority date
Filing date
Publication date
Application filed by NR Electric Co Ltd and NR Engineering Co Ltd
Priority to CN202111506947.6A
Publication of CN114338096A
Application granted
Publication of CN114338096B
Legal status: Active
Anticipated expiration

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E: REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00: Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00: Systems supporting electrical power generation, transmission or distribution
    • Y04S10/16: Electric power substations
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a configuration method for a process layer isolation device, comprising the following steps: step 1, importing the SCD model of the transformer substation into the process layer isolation device; step 2, extracting the valid GOOSE/SV data streams from the SCD model, where the data stream attributes include the destination MAC address, message type, virtual local area network ID, application identifier and GOOSE control block/SMV control block; step 3, connecting the process layer isolation device to the network in full-pass policy mode, sniffing the traffic and extracting the GOOSE/SV connections from it; step 4, matching the GOOSE/SV connections extracted in step 3 against the valid GOOSE/SV data streams from step 2, generating the whitelist configuration, and raising an alarm for any unmatched data stream. The configuration method provided by the invention reduces on-site configuration work and improves the efficiency and accuracy of substation operation and maintenance management.

Description

Configuration method of process layer isolation device
Technical Field
The invention relates to a process layer isolation device configuration method, and belongs to the technical field of intelligent substation control methods.
Background
With the spread of intelligent substations and the growing importance of substation network security, the security problems of the substation process layer network are gradually coming to light. Network security in a traditional substation mainly considers the station control layer network or the dispatching data network, while the security of the process layer network is often ignored. In fact the process layer network, being the network closest to the primary equipment, directly affects data acquisition and control, and if it is compromised the impact is significant.
The main risks to the process layer network come from the distribution-network process layer network outside the station and from interconnection inside the station. Access from off-site networks into the station needs particular care, because the off-site network is more exposed and more likely to be attacked. Engineers often lack the specialized knowledge needed to configure process layer isolation devices in depth, so the efficiency or the safety of field work suffers.
The above problems are ones that those skilled in the art urgently need to solve.
Disclosure of Invention
Purpose: in order to overcome the defects of the prior art, the invention provides a process layer isolation device configuration method which makes use of the fact that a substation already has an SCD file modelling the whole station. It extracts the valid GOOSE/SV data streams from the SCD model, matches them against the traffic information observed by the process layer isolation device, obtains the whitelist configuration of the process layer isolation device, and thereby improves the efficiency and accuracy of substation operation and maintenance management.
Technical scheme: to solve the above technical problems, the invention adopts the following technical scheme:
a method of configuring a process layer isolation device, comprising the following steps:
step 1, importing the SCD model of the transformer substation into the process layer isolation device;
step 2, extracting the valid GOOSE/SV data streams from the SCD model, where the data stream attributes include: destination MAC address, message type, virtual local area network ID, application identifier, GOOSE control block/SMV control block;
step 3, connecting the process layer isolation device to the network in full-pass policy mode, sniffing the traffic, and extracting the GOOSE/SV connections from the traffic;
step 4, matching the GOOSE/SV connections extracted in step 3 against the valid GOOSE/SV data streams from step 2, generating the whitelist configuration, and raising an alarm for any unmatched data stream.
Preferably, in step 1, the SCD model of the substation contains the models of all devices in the station that communicate through GOOSE/SV.
Preferably, the method of importing into the process layer isolation device is one of: importing through the web configuration interface of the process layer isolation device, or copying the SCD model onto removable storage and importing it into a fixed directory on the device through the device's USB interface.
Preferably, step 2 specifically comprises: obtaining the valid destination MAC address, message type, virtual local area network ID and application identifier of each GOOSE/SV data stream by matching the Communication tag and selecting the SubNetwork tags whose type attribute is IECGOOSE or SMV.
Preferably, step 2 specifically comprises: obtaining the GOOSE control block attributes of the valid GOOSE data streams by matching the GSEControl tag under the IED tag.
Preferably, step 2 specifically comprises: obtaining the SMV control block attributes of the valid SV data streams by matching the SMV and SampledValueControl tags under the IED tag.
Preferably, the GOOSE/SV connection attributes extracted from the traffic in step 3 include: source MAC address, destination MAC address, message type, virtual local area network ID, application identifier, GOOSE control block/SMV control block, ingress interface and egress interface.
Preferably, the matching method in step 4 is as follows: the sniffed GOOSE/SV data streams are compared one by one with the valid GOOSE/SV data streams from step 2; if a match succeeds, a whitelist configuration entry is formed.
Preferably, if the matching in step 4 does not succeed, an alarm is raised for the unmatched data stream. The alarm may be delivered by syslog or by SNMP.
Beneficial effects: the configuration method of the process layer isolation device provided by the invention reduces on-site configuration work and improves the efficiency and accuracy of substation operation and maintenance management.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
Detailed Description
The present invention will be further described with reference to the following examples.
The technical terms used in this application are explained as follows:
SCD (Substation Configuration Description): the substation configuration description file.
GOOSE (Generic Object Oriented Substation Event).
SV (Sampled Value): sampled values.
SMV (Sampled Measured Value): sampled measured values.
SubNetwork: a subnet in the Communication section of the SCD.
IED (Intelligent Electronic Device).
apName (access point name).
An embodiment of the method for configuring a process layer isolation device according to the present application, as shown in fig. 1, includes the following steps:
S100, importing the SCD model of the transformer substation into the process layer isolation device.
The SCD model here contains the models of all devices in the station that communicate through GOOSE/SV. The import can be done through the web configuration interface of the process layer isolation device, or by copying the SCD model onto removable storage and importing it into a fixed directory on the device through the device's USB interface.
S200, extracting the valid GOOSE/SV data streams from the SCD model.
The SCD model is standard XML. The valid destination MAC address, message type, virtual local area network ID and application identifier of each GOOSE/SV data stream are obtained by matching the Communication tag and selecting the SubNetwork tags whose type attribute is IECGOOSE or SMV.
The relevant contents in the SCD example are as follows:
<Communication>
  <SubNetwork desc="" name="ProceseGoose" type="IECGOOSE">
    <ConnectedAP apName="G1" desc="Process layer GOOSE" iedName="PCSDA2">
      <GSE cbName="GO_Gcb1" ldInst="PIGO">
        <Address>
          <P type="MAC-Address">01-0C-CD-01-02-1B</P>
          <P type="VLAN-ID">000</P>
          <P type="APPID">0211</P>
          <P type="VLAN-PRIORITY">4</P>
        </Address>
        <MinTime multiplier="m" unit="s">2</MinTime>
        <MaxTime multiplier="m" unit="s">5000</MaxTime>
      </GSE>
    </ConnectedAP>
  </SubNetwork>
  <SubNetwork desc="" name="ProceseSMV" type="SMV">
    <ConnectedAP apName="M1" desc="SMV service function" iedName="PCSASSIST">
      <SMV cbName="Smvcb1" ldInst="MUSV">
        <Address>
          <P type="MAC-Address">01-0C-CD-04-40-04</P>
          <P type="VLAN-ID">000</P>
          <P type="VLAN-PRIORITY">4</P>
          <P type="APPID">4004</P>
        </Address>
      </SMV>
    </ConnectedAP>
  </SubNetwork>
</Communication>
From these entries the destination MAC address, VLAN-ID and APPID of each GOOSE/SV data stream can be read.
<GSEControl appID="PCSASSISTPIGO/LLN0.gocb0" confRev="1" datSet="dsGOOSE21" desc="" name="gocb0" type="GOOSE"/>
From this the DatSet (the datSet attribute above) and the GoID (the appID attribute above) of the GOOSE data stream can be read.
<SampledValueControl confRev="1" datSet="dsSMV1" multicast="true" name="Smvcb1" nofASDU="1" smpRate="80" smvID="PCSASSISTMUSV/LLN0.Smvcb1">
<SmvOpts refreshTime="false" sampleRate="false" sampleSynchronized="true" security="false"/>
</SampledValueControl>
From this the SVID of the SV data stream (the smvID attribute above) can be read.
In the same way, all parameters meeting the requirements are extracted from the model.
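The S200 extraction as an added worked example (this is not code from the patent or from NR Electric), written in Python with the standard library's ElementTree. It walks the Communication section for SubNetworks of type IECGOOSE or SMV, reads the MAC address, VLAN-ID and APPID from each GSE/SMV address entry, and joins the entry with the GSEControl or SampledValueControl it names under the IED section. The SCD fragment embedded in the code is constructed from the one quoted above, with the IED and control block names made consistent between the two sections; the IED-section path IED/AccessPoint/Server/LDevice/LN0 follows the IEC 61850-6 schema and, like the SCL namespace, is an assumption about the file rather than something the patent states.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}   # assumed: the standard SCL namespace
ETHERTYPE = {"IECGOOSE": 0x88B8, "SMV": 0x88BA}    # message type implied by the SubNetwork type

# Constructed sample SCD, modelled on the fragment quoted in S200 (not a real station file).
# The StationBus subnet is there to show that non-process-layer subnets are skipped.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
<Communication>
 <SubNetwork name="ProceseGoose" type="IECGOOSE">
  <ConnectedAP apName="G1" iedName="PCSASSIST">
   <GSE cbName="gocb0" ldInst="PIGO"><Address>
    <P type="MAC-Address">01-0C-CD-01-02-1B</P><P type="VLAN-ID">000</P>
    <P type="APPID">0211</P><P type="VLAN-PRIORITY">4</P>
   </Address></GSE>
  </ConnectedAP>
 </SubNetwork>
 <SubNetwork name="ProceseSMV" type="SMV">
  <ConnectedAP apName="M1" iedName="PCSASSIST">
   <SMV cbName="Smvcb1" ldInst="MUSV"><Address>
    <P type="MAC-Address">01-0C-CD-04-40-04</P><P type="VLAN-ID">000</P>
    <P type="APPID">4004</P><P type="VLAN-PRIORITY">4</P>
   </Address></SMV>
  </ConnectedAP>
 </SubNetwork>
 <SubNetwork name="StationBus" type="8-MMS"/>
</Communication>
<IED name="PCSASSIST">
 <AccessPoint name="G1"><Server><LDevice inst="PIGO"><LN0 lnClass="LLN0" inst="" lnType="LLN0_T">
  <GSEControl name="gocb0" type="GOOSE" datSet="dsGOOSE21" confRev="1" appID="PCSASSISTPIGO/LLN0.gocb0"/>
 </LN0></LDevice></Server></AccessPoint>
 <AccessPoint name="M1"><Server><LDevice inst="MUSV"><LN0 lnClass="LLN0" inst="" lnType="LLN0_T">
  <SampledValueControl name="Smvcb1" datSet="dsSMV1" smvID="PCSASSISTMUSV/LLN0.Smvcb1" multicast="true" smpRate="80" nofASDU="1" confRev="1"/>
 </LN0></LDevice></Server></AccessPoint>
</IED>
</SCL>"""


def _control_block(root, kind, ied, ap, ld_inst, cb_name):
    """Find the GSEControl / SampledValueControl that a GSE/SMV address entry refers to."""
    tag = "GSEControl" if kind == "IECGOOSE" else "SampledValueControl"
    el = root.find(f"scl:IED[@name='{ied}']/scl:AccessPoint[@name='{ap}']/scl:Server/"
                   f"scl:LDevice[@inst='{ld_inst}']/scl:LN0/scl:{tag}[@name='{cb_name}']", NS)
    if el is None:
        # An address entry with no control block is a model inconsistency; surface it
        # rather than silently whitelisting a stream whose GoID/svID is unknown.
        raise ValueError(f"{ied}{ld_inst}/LLN0.{cb_name}: address entry has no control block")
    if kind == "IECGOOSE":
        return {"datSet": el.get("datSet"), "goID": el.get("appID")}
    return {"svID": el.get("smvID")}


def extract_valid_streams(scd_xml):
    """S200: one record per GOOSE/SV address entry in Communication, joined with its control block."""
    root = ET.fromstring(scd_xml)
    streams = []
    for subnet in root.iterfind("scl:Communication/scl:SubNetwork", NS):
        kind = subnet.get("type")
        if kind not in ETHERTYPE:          # station bus (MMS) and other subnets are not process layer
            continue
        for ap in subnet.iterfind("scl:ConnectedAP", NS):
            for cb in ap.iterfind("scl:GSE" if kind == "IECGOOSE" else "scl:SMV", NS):
                addr = {p.get("type"): p.text.strip() for p in cb.iterfind("scl:Address/scl:P", NS)}
                stream = {
                    "dst_mac": addr["MAC-Address"].replace("-", ":").upper(),
                    "ethertype": ETHERTYPE[kind],
                    "vlan": int(addr.get("VLAN-ID", "0"), 16),   # SCL stores VLAN-ID and APPID as hex text
                    "appid": int(addr["APPID"], 16),
                    "subnet": subnet.get("name"),
                }
                stream.update(_control_block(root, kind, ap.get("iedName"), ap.get("apName"),
                                             cb.get("ldInst"), cb.get("cbName")))
                streams.append(stream)
    return streams


if __name__ == "__main__":
    for s in extract_valid_streams(SAMPLE_SCD):
        print(s)
```

The returned records carry exactly the attributes the patent lists for step 2 (destination MAC, message type, VLAN ID, APPID and the control block fields), so they can be compared one by one with sniffed connections in step 4.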
S300, connecting the process layer isolation device to the network in full-pass policy mode, sniffing the traffic, and extracting the GOOSE/SV connections from the traffic.
The GOOSE/SV connection attributes extracted from the traffic include: source MAC address, destination MAC address, message type, virtual local area network ID, application identifier, GOOSE control block/SMV control block, ingress interface and egress interface.
For example, suppose the process layer isolation device observes the following two communication pairs:
(1) Source MAC address B4:4C:C4:02:22:24, destination MAC address 01:0C:CD:01:02:1B, message type 0x88B8 (GOOSE), virtual local area network ID 0x00, application identifier 0x0211; GOOSE control block attributes: DatSet dsGOOSE21, GoID PCSASSISTPIGO/LLN0.gocb0; traffic enters on interface eth0 and leaves on interface eth1.
(2) Source MAC address B4:4C:C4:02:22:24, destination MAC address 01:0C:CD:04:40:04, message type 0x88BA (SV), virtual local area network ID 0x00, application identifier 0x4004; SMV control block attributes: smvID PCSSISTMISV/LLN0.Smvcb2; traffic enters on interface eth0 and leaves on interface eth1.
S400, matching the GOOSE/SV connections extracted in step S300 against the valid GOOSE/SV data streams from step S200, generating the whitelist configuration, and raising an alarm for any unmatched data stream. The alarm may be delivered by syslog or by SNMP.
The matching compares the attributes one by one; the attributes that are not compared are the source MAC address, the ingress interface and the egress interface. These are written into the whitelist directly with the values actually observed; unless they are controlled separately (for example by MAC address binding), no further judgement is made on them.
With this method a whitelist entry is generated for the GOOSE stream, while the SV stream raises an alarm because its smvID does not match. The alarm can be retrieved by local query or sent to a remote centralized management server via syslog or SNMP, where operation and maintenance personnel assess it further.
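Steps S300 and S400 as an added worked example in Python (this is not code from the patent or from NR Electric). Two Ethernet frames shaped like the communication pairs above are constructed in the code itself, where a real device would capture them from its interfaces; the parser pulls the connection attributes out of each frame, and the matcher compares them attribute by attribute against the S200 streams, keeping matches as whitelist entries and formatting an alarm line for the rest. Assumptions: the GOOSE and SV APDUs are trimmed to the few BER fields needed to read datSet, goID and svID (tag numbers as in IEC 61850-8-1 and 9-2), the S200 stream list is written out by hand with the values from the fragment above, and the alarm is rendered as a syslog line with a fixed PRI value.

```python
import struct

ETH_VLAN, ETH_GOOSE, ETH_SV = 0x8100, 0x88B8, 0x88BA
# Attributes compared one by one in S400; src_mac, in_if and out_if are recorded, not compared.
MATCH_KEYS = ("dst_mac", "ethertype", "vlan", "appid", "datSet", "goID", "svID")

def ber(tag, payload):
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_walk(buf):
    """Yield (tag, value) for the TLVs laid end to end in buf (single-byte tags only)."""
    i = 0
    while i + 1 < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                      # long form: low bits give the length of the length
            nb = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nb], "big")
            i += nb
        yield tag, buf[i:i + ln]
        i += ln

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def eth_header(src, dst, vlan, ethertype, prio=4):
    """Ethernet II header with an 802.1Q tag; TCI = priority << 13 | VLAN ID."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">HHH", ETH_VLAN, (prio << 13) | vlan, ethertype)

def goose_frame(src, dst, vlan, appid, gocbref, datset, goid):
    """Constructed GOOSE frame: APPID/length/reserved header, then goosePdu [APPLICATION 1]
    holding only gocbRef [0], timeAllowedToLive [1], datSet [2] and goID [3]."""
    pdu = ber(0x61, ber(0x80, gocbref.encode()) + ber(0x81, b"\x03\xe8")
              + ber(0x82, datset.encode()) + ber(0x83, goid.encode()))
    return eth_header(src, dst, vlan, ETH_GOOSE) + struct.pack(">HHHH", appid, 8 + len(pdu), 0, 0) + pdu

def sv_frame(src, dst, vlan, appid, svid):
    """Constructed SV frame: savPdu [APPLICATION 0] with noASDU [0] and seqOfASDU [2]
    holding one ASDU whose first field is svID [0]."""
    asdu = ber(0x30, ber(0x80, svid.encode()) + ber(0x82, b"\x00\x01"))
    pdu = ber(0x60, ber(0x80, b"\x01") + ber(0xA2, asdu))
    return eth_header(src, dst, vlan, ETH_SV) + struct.pack(">HHHH", appid, 8 + len(pdu), 0, 0) + pdu

def parse_connection(raw, in_if, out_if):
    """S300: pull the connection attributes out of one sniffed frame; None if it is not GOOSE/SV."""
    dst, src = raw[:6], raw[6:12]
    ethertype, off, vlan = int.from_bytes(raw[12:14], "big"), 14, None
    if ethertype == ETH_VLAN:
        tci, ethertype = struct.unpack(">HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype not in (ETH_GOOSE, ETH_SV):
        return None
    appid, length = struct.unpack(">HH", raw[off:off + 4])   # length counts the 8 header bytes
    conn = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": ethertype,
            "vlan": vlan, "appid": appid, "in_if": in_if, "out_if": out_if}
    _, body = next(ber_walk(raw[off + 8:off + length]))       # goosePdu or savPdu contents
    fields = dict(ber_walk(body))
    if ethertype == ETH_GOOSE:
        conn.update(datSet=fields[0x82].decode(), goID=fields[0x83].decode())
    else:
        _, first_asdu = next(ber_walk(fields[0xA2]))
        conn["svID"] = dict(ber_walk(first_asdu))[0x80].decode()
    return conn

def syslog_line(conn):
    """Alarm text for an unmatched stream (syslog format assumed; PRI 12 = user.warning)."""
    kind = "GOOSE" if conn["ethertype"] == ETH_GOOSE else "SV"
    cb = conn.get("goID") or conn.get("svID")
    return (f"<12>isolator: unmatched {kind} stream dst={conn['dst_mac']} vlan={conn['vlan']} "
            f"appid=0x{conn['appid']:04X} cb={cb} in={conn['in_if']} out={conn['out_if']}")

def build_whitelist(connections, valid_streams):
    """S400: a connection matching an SCD stream on every MATCH_KEY becomes a whitelist entry
    (keeping its observed src MAC and interfaces); anything else raises an alarm."""
    whitelist, alarms = [], []
    for conn in connections:
        if any(all(conn.get(k) == s.get(k) for k in MATCH_KEYS) for s in valid_streams):
            whitelist.append(conn)
        else:
            alarms.append(syslog_line(conn))
    return whitelist, alarms

# Constructed inputs: the two streams the S200 fragment describes, and two sniffed frames
# shaped like the S300 example, the SV one carrying a different svID than the SCD.
VALID_STREAMS = [
    {"dst_mac": "01:0C:CD:01:02:1B", "ethertype": ETH_GOOSE, "vlan": 0, "appid": 0x0211,
     "datSet": "dsGOOSE21", "goID": "PCSASSISTPIGO/LLN0.gocb0"},
    {"dst_mac": "01:0C:CD:04:40:04", "ethertype": ETH_SV, "vlan": 0, "appid": 0x4004,
     "svID": "PCSASSISTMUSV/LLN0.Smvcb1"},
]
SNIFFED = [
    (goose_frame("B4:4C:C4:02:22:24", "01:0C:CD:01:02:1B", 0, 0x0211,
                 "PCSASSISTPIGO/LLN0$GO$gocb0", "dsGOOSE21", "PCSASSISTPIGO/LLN0.gocb0"), "eth0", "eth1"),
    (sv_frame("B4:4C:C4:02:22:24", "01:0C:CD:04:40:04", 0, 0x4004,
              "PCSASSISTMUSV/LLN0.Smvcb2"), "eth0", "eth1"),
]

def run():
    conns = [c for c in (parse_connection(raw, i, o) for raw, i, o in SNIFFED) if c]
    return build_whitelist(conns, VALID_STREAMS)

if __name__ == "__main__":
    print(run())
```

Running it yields one whitelist entry (the GOOSE pair, with its observed source MAC and eth0/eth1 interfaces filled in) and one alarm line for the SV pair, whose svID differs from the SCD, which is the outcome the description above states. Frames whose EtherType is neither 0x88B8 nor 0x88BA are ignored by the parser, so station-bus or management traffic on the same capture does not enter the matching at all.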
The above description is only of the preferred embodiments of the present invention, and it should be noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the invention and these are intended to be within the scope of the invention.

Claims (9)

1. A method for configuring a process layer isolation device, characterized in that it comprises the following steps:
step 1, importing the SCD model of the transformer substation into the process layer isolation device;
step 2, extracting the valid GOOSE/SV data streams from the SCD model, where the data stream attributes include: destination MAC address, message type, virtual local area network ID, application identifier, GOOSE control block/SMV control block;
step 3, connecting the process layer isolation device to the network in full-pass policy mode, sniffing the traffic, and extracting the GOOSE/SV connections from the traffic;
step 4, matching the GOOSE/SV connections extracted in step 3 against the valid GOOSE/SV data streams from step 2, generating the whitelist configuration, and raising an alarm for any unmatched data stream.
2. The method of claim 1, characterized in that in step 1 the SCD model of the substation contains the models of all devices in the station that communicate through GOOSE/SV.
3. The method of claim 1, characterized in that the method of importing into the process layer isolation device is one of: importing through the web configuration interface of the process layer isolation device, or copying the SCD model onto removable storage and importing it into a fixed directory on the device through the device's USB interface.
4. The method of claim 1, characterized in that step 2 specifically comprises: obtaining the valid destination MAC address, message type, virtual local area network ID and application identifier of each GOOSE/SV data stream by matching the Communication tag and selecting the SubNetwork tags whose type attribute is IECGOOSE or SMV.
5. The method of claim 1, characterized in that step 2 specifically comprises: obtaining the GOOSE control block attributes of the valid GOOSE data streams by matching the GSEControl tag under the IED tag.
6. The method of claim 1, characterized in that step 2 specifically comprises: obtaining the SMV control block attributes of the valid SV data streams by matching the SMV and SampledValueControl tags under the IED tag.
7. The method of claim 1, characterized in that the GOOSE/SV connection attributes extracted from the traffic in step 3 include: source MAC address, destination MAC address, message type, virtual local area network ID, application identifier, GOOSE control block/SMV control block, ingress interface and egress interface.
8. The method of claim 1, characterized in that the matching method in step 4 comprises: comparing the sniffed GOOSE/SV data streams one by one with the valid GOOSE/SV data streams from step 2, and forming a whitelist configuration entry when a match succeeds.
9. The method of claim 1, characterized in that if the matching in step 4 does not succeed, an alarm is raised for the unmatched data stream, the alarm being delivered by syslog or by SNMP.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111506947.6A CN114338096B (en) 2021-12-10 2021-12-10 Configuration method of process layer isolation device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111506947.6A CN114338096B (en) 2021-12-10 2021-12-10 Configuration method of process layer isolation device

Publications (2)

Publication Number Publication Date
CN114338096A true CN114338096A (en) 2022-04-12
CN114338096B CN114338096B (en) 2023-11-17

Family

ID=81051551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111506947.6A Active CN114338096B (en) 2021-12-10 2021-12-10 Configuration method of process layer isolation device

Country Status (1)

Country Link
CN (1) CN114338096B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106408207A (en) * 2016-10-12 2017-02-15 国网辽宁省电力有限公司朝阳供电公司 Modeling method and system for secondary virtual loop of intelligent substation
CN106982235A (en) * 2017-06-08 2017-07-25 江苏省电力试验研究院有限公司 A kind of power industry control network inbreak detection method and system based on IEC 61850
CN108494578A (en) * 2018-02-05 2018-09-04 国电南瑞科技股份有限公司 A kind of transformer station process layer switch configuration information analysis method
CN109379255A (en) * 2018-12-12 2019-02-22 国网宁夏电力有限公司电力科学研究院 One kind being based on intelligent exchange process-level network flow monitoring method for early warning
CN111817889A (en) * 2020-07-02 2020-10-23 中国南方电网有限责任公司 Method for positioning connection error of process layer port of intelligent substation
US20200351249A1 (en) * 2019-05-03 2020-11-05 Cisco Technology, Inc. Securing substation communications using security groups based on substation configurations
CN112003740A (en) * 2020-08-06 2020-11-27 南京国电南自电网自动化有限公司 Automatic multicast configuration method and system for substation switch
CN112073326A (en) * 2020-07-30 2020-12-11 许继集团有限公司 Intelligent substation process layer network data flow control method
CN112615808A (en) * 2020-10-27 2021-04-06 国网浙江省电力有限公司绍兴供电公司 Method, device and equipment for representing white list of process layer messages of intelligent substation
CN113542110A (en) * 2020-04-15 2021-10-22 中国南方电网有限责任公司 Intelligent substation process layer network storm positioning and eliminating method and system


Also Published As

Publication number Publication date
CN114338096B (en) 2023-11-17


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant